Re: Snort not generating alerts

[James Dickenson <jdickenson () gmail com>]

Matt,

I skimmed through that doc.  I didn't see anywhere that they have you
configure the rulesets running on the sensor.  They have you set the paths
for the whitelist and blacklist for the IP reputation preproc but no rule
enable/disabling that I can see.

You should see near the end of your snort.conf where the rules are enabled
and disabled they should look something like this

*snip*
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
*snip*


Go through those and figure out what makes sense for you to run.  If it has
a pound in front of it is commented out obviously.  You can also do a 'wget
www.testmyids.com' to test to see if your sensor is up and working.  The
other option is to look at pulledpork and modify your snort.conf to use
that to manage and update  your rulesets.  Most people recommend doing that
as managing them by hand can be quite tedious.


There is alot of other tuning that can and probably should be done in the
snort.conf file I suggest looking through it and familaring yourself with
it.  Start with the rules and HOME_NET and EXTERNAL_NET then look at the
preprocessors starting with stream5 and frag3 preproc.

Hopefully that gets you up and running.

Good luck!

-James


On Wed, Oct 23, 2013 at 8:15 AM, Matt . <sttwok82 () gmail com> wrote:

> Resending as this apparently didn't go through yesterday.
>
> I'm ramping up on Linux and Snort, so not highly familiar with them yet.
> That said I've installed Snort and Snort Report onto Ubuntu 12.04 via the
> instructions at the following URL and fixed the errrors that prevented
> snort and barnyward2 from running.
> http://www.symmetrixtech.com/articles/016-snortinstallguide2953.pdf
>  At this point I am not able to determine why it's not generating alerts
> after test vulnerbility scanrs are run, the log files are empty. If I add
> the following lines uncommented out to the bottom of snort.conf, data is
> put into the log files and database. But once I comment out the lines
> nothing is generated.
>
> #alert ip any any -> any any (msg:"Got an IP Packet";
> classtype:not-suspicious; sid:2000000; rev:1;)
>
> #alert icmp any any -> any any (msg:"Got an ICMP Packet";
> classtype:not-suspicious; sid:2000001; rev:1;)
> #alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800;
> reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)
>  I've searched online and am stumped. Any assistance, pointers,
> recommendations would be much appreciated.
>  Thanks,
> Matt
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!